SonarQube Community Edition is coming with rules dedicated to the security domain mainly for Java, C# and PHP. I let you heck the Vulnerability and Security Hotspots rules for each language directly on https://rules.sonarsource.com/java/type/Vulnerability.
We don’t provide yet a nice display of our coverage of OWASP Top 10, CERT, SANS Top 25 but by using the Tags available on each rule you can find what you are looking for. For example, here are the rules for Java related to OWASP Top 10

SQ Developer Edition is coming with a more advanced engine dedicated to the security domain and in particular it implements 6 rules for Java and C# (PHP should come later this year).

Complimentary to that is the support of security hotspots for each language, which is coming pretty rapidly (4 additional languages supported with SonarQube 7.4 announced last week). As well as always more powerful rules to detect vulnerabilities in your code (on top of the key rules mentioned in that blog post already).